시스템 해킹

   dudgb2380
   FSB질문이요

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1754 [복사]


pwnable 문제를 풀고있는데


#include <stdio.h>
#include <alloca.h>
#include <fcntl.h>

/* Secret value: main() fills it from /dev/urandom and fsb() compares the
 * user's guess against it. */
unsigned long long key;
/* Receives each of the four "format string" inputs in fsb(). It is a
 * file-scope object (static storage, zero-initialised at program start),
 * not a local of fsb(). */
char buf[100];
/* Receives the decimal key guess that fsb() reads after the four rounds. */
char buf2[100];

/*
 * Training routine built around a deliberate format-string bug.
 *
 * Wipes the argument and environment strings, echoes four user inputs
 * through printf() with the input itself as the format string, then asks
 * for the value of the global `key` and, on a match, replaces the process
 * with /bin/sh.
 *
 * argv, envp: NULL-terminated string vectors passed down from main().
 * Returns 0 on every path that returns.
 *
 * NOTE(review): read(), sleep() and execve() are normally declared in
 * <unistd.h> and strtoull() in <stdlib.h>; neither header is among the
 * three included in this listing, so these calls rely on implicit
 * declarations, which C99 removed. Including <stdlib.h> matters most,
 * because it is what tells the compiler that strtoull() returns
 * unsigned long long.
 */
int fsb(char** argv, char** envp){
        /* argv vector for the shell started when the key matches */
        char* args[]={"/bin/sh", 0};
        int i;

        /* addresses of this function's own argv/envp parameters; they are
         * used only to null those parameters further down */
        char*** pargv = &argv;
        char*** penvp = &envp;
        char** arg;
        char* c;
        /* overwrite every byte of every argument string, then of every
         * environment string, with '\0' */
        for(arg=argv;*arg;arg++) for(c=*arg; *c;c++) *c='\0';
        for(arg=envp;*arg;arg++) for(c=*arg; *c;c++) *c='\0';
        /* set the argv and envp parameters themselves to NULL */
        *pargv=0;
        *penvp=0;

        /* four rounds: prompt, read up to 100 bytes from stdin, echo them */
        for(i=0; i<4; i++){
                printf("Give me some format strings(%d)\n", i+1);
                /* The return value is ignored and read() appends no
                 * terminator: buf is not cleared between rounds, so a
                 * shorter input leaves the tail of an earlier one in place,
                 * and a full 100-byte input leaves no '\0' inside buf. */
                read(0, buf, 100);
                /* NOTE(review): buf is passed as the format string, so any
                 * conversion specifiers in the input are interpreted by
                 * printf (CWE-134, uncontrolled format string). Outside a
                 * training binary this is written printf("%s", buf) or
                 * fputs(buf, stdout); -Wformat-security reports the
                 * pattern at compile time. */
                printf(buf);
        }

        printf("Wait a sec...\n");
        sleep(3);

        printf("key : \n");
        /* as above: return value ignored, no terminator appended */
        read(0, buf2, 100);
        /* base-10 parse; the end pointer is NULL, so trailing garbage and
         * conversion errors are not detected */
        unsigned long long pw = strtoull(buf2, 0, 10);
        if(pw == key){
                printf("Congratz!\n");
                /* a NULL envp is passed, so the shell starts without the
                 * caller's environment; the return below is reached only
                 * if execve() fails */
                execve(args[0], args, 0);
                return 0;
        }

        printf("Incorrect key \n");
        return 0;
}

/*
 * Entry point: loads 8 random bytes into the global `key`, makes a
 * key-dependent alloca() call, then hands argv/envp to fsb().
 *
 * Returns 0 on every path, including the error path.
 *
 * NOTE(review): close() is normally declared in <unistd.h>, which this
 * listing does not include.
 */
int main(int argc, char* argv[], char** envp){

        int fd = open("/dev/urandom", O_RDONLY);
        /* short-circuit: read() runs only if open() succeeded; a short read
         * is treated as an error too. On that short-read path fd is not
         * closed before returning. */
        if( fd==-1 || read(fd, &key, 8) != 8 ){
                printf("Error, tell admin\n");
                return 0;
        }
        close(fd);

        /* The result is discarded: the call only reserves a key-dependent
         * number of bytes (between 0 and 0x12345) in main's stack frame,
         * presumably to vary where fsb()'s frame ends up from run to run. */
        alloca(0x12345 & key);

        fsb(argv, envp); // exploit this format string bug!
        return 0;
}

위의 printf(buf)부분을 공격하는거 같은데 인터넷을 돌아다니면서 배운것들은 전부 AAAA%x%x%x.....이런식으로 입력을 넣어서 몇번째 포맷인자가 맨앞의 스트링을 받는지 확인한 후에 거기에 주소값을 넣고 공격을 하는데 buf가 전역변수라 좀 다르게 나오더라구요.. 전역변수일 경우에는 어떤식으로 해야하나요

  Hit : 4491     Date : 2014/07/14 11:17



    
letmeln 질문에 대한 답변은 저도 몰라서 말씀 못 드리지만 위에 코드를 10줄 정도로 줄여서 디버거로 보면서 직접 테스트하시면 아마도 금방 이해하실 수 있어요ㅎㅎ 2014/07/25